Mini Shai-Hulud Malware Resurfaces, Compromising Hundreds of npm Packages
A self-replicating malware campaign known as Mini Shai-Hulud has re-emerged, affecting hundreds of npm packages. The threat actor, identified as TeamPCP, has been linked to previous waves of the same campaign. This latest variant is more advanced, capable of spreading autonomously and installing persistent backdoors at the operating system level.

The malware activates when an affected software package is installed, gaining immediate access to the machine. It harvests sensitive data such as GitHub tokens, npm tokens, SSH keys, and cloud provider credentials. The stolen data is sent to attacker-controlled GitHub repositories. The malware also infects other Node.js projects on a developer's computer, potentially compromising entire workstations.

Security researchers have identified popular data visualization software and utilities as targets, including Alibaba's AntV and TallyUI. The campaign remains active, with the number of affected packages expected to grow.